Skip to content

React consulting lead-capture endpoint is unprotected #4823

Description

@isaaclombardssw

The /api/lead-capture route added with the React consulting v3 page (#4777) is a public endpoint that spends the JotForm API key and fires the Power Automate CRM flow on every call, with nothing gating it:

  • Middleware only sets headers — no auth, origin check, or rate limit
  • The *.azurewebsites.net origin and preview slots bypass Cloudflare entirely
  • JotForm's own limit is just a daily API-call quota (hitting it blocks legit submissions too), and the API path bypasses the form's built-in CAPTCHA

So it can be scripted to spam leads into both JotForm and the CRM.

Fix: require a Cloudflare Turnstile token (we already have a Cloudflare account; Turnstile is free) before the route does any JotForm/CRM work — fail closed.

While here, also restore a few fixes prepared during review of #4777 that didn't land: SEO metadata on the React page, process step zero-padding, Tailwind token usage, and the removed next/image objectFit prop.

Affected routes: /consulting/react

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    🤷‍♂️ Needs Triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions